On March 31, 2026, Anthropic released version 2.1.88 of its @anthropic-ai/claude-code npm package. Hidden inside was a source map file — a debugging artifact — that contained the complete, unobfuscated TypeScript source code for Claude Code. The version has since been pulled from npm, but the damage was already done.

Security researcher Chaofan Shou was first to spot it on X. Within hours, the codebase had been mirrored across GitHub, amassing over 84,000 stars and 82,000 forks. Anthropic confirmed the incident, calling it "a release packaging issue caused by human error, not a security breach."

"No sensitive customer data or credentials were involved or exposed."

— Anthropic spokesperson

What the leaked code revealed

Developers who dug into the source uncovered a detailed map of Claude Code's internal architecture — and several features that were never publicly announced.

Hidden features found inside

KAIROS — A persistent background agent mode. Claude Code can run tasks, fix errors, and send push notifications to users entirely on its own, without waiting for input.

Dream mode — Claude thinks continuously in the background, developing and iterating on ideas even when a user is idle.

Undercover mode — A stealth contribution mode for open-source repositories. The system prompt instructs: "Do not blow your cover" when making commits or pull requests.

Anti-distillation traps — The system injects fake tool definitions into API requests to poison training data if competitors attempt to scrape Claude Code's outputs.

Multi-agent orchestration — Claude Code can spawn "sub-agents" or entire swarms to handle complex, long-running tasks in parallel.

The security fallout

With Claude Code's internals now public, security researchers warn that attackers no longer need to guess at vulnerabilities — they can study the exact data flow and craft targeted exploits.

AI security firm Straiker noted that attackers can now fuzz Claude Code's four-stage context management pipeline and craft payloads designed to persist across long sessions — effectively planting a backdoor that survives memory compaction.

Active threat — action required: Users who installed or updated Claude Code via npm on March 31 between 00:21 and 03:29 UTC may have pulled a trojanized version of the Axios HTTP library (versions 1.14.1 or 0.30.4) containing a remote access trojan. Downgrade to a safe version and rotate all secrets immediately.

Typosquatting attack already underway

Attackers are already exploiting the leak. A user named "pacifier136" published five npm packages named after internal Claude Code dependencies, waiting to push malicious updates to anyone who installs them:

audio-capture-napi

color-diff-napi

image-processor-napi

modifiers-napi

url-handler-napi

Researcher Clément Dumas warned: "Right now they're empty stubs, but that's how these attacks work — squat the name, wait for downloads, then push a malicious update." Do not install any of these packages.
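A quick way to act on both warnings above (the trojanized Axios versions and the five squatted package names) is to scan a project's installed dependency tree for those exact indicators. The script below is an added example, not code from the article, Anthropic, or any of the researchers quoted; it assumes a standard Node project layout with a `node_modules` directory, matches only the versions and names listed in this article, and reads `package.json` files with `sed` rather than a JSON parser. The sample tree it builds is constructed for demonstration and uses a made-up Axios version that is not on the article's list.

```shell
#!/bin/sh
# Added example: scan a Node project's node_modules for the indicators named
# in the article. Not affiliated with Anthropic or the npm packages involved.

# Axios versions the article reports as trojanized.
COMPROMISED_AXIOS_VERSIONS="1.14.1 0.30.4"

# Package names the article reports as squatted on npm.
SQUATTED_PACKAGES="audio-capture-napi color-diff-napi image-processor-napi modifiers-napi url-handler-napi"

# pkg_version FILE -> prints the "version" field of a package.json.
# Dependency-free but crude: assumes the field is on one line, as npm writes it.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# scan_node_modules DIR -> prints one line per finding.
# Returns 0 when nothing matched, 1 when at least one indicator was found.
scan_node_modules() {
  dir="$1"
  findings=0

  # Every copy of axios, including nested copies under other dependencies.
  for pj in $(find "$dir" -path '*/node_modules/axios/package.json' 2>/dev/null); do
    v=$(pkg_version "$pj")
    for bad in $COMPROMISED_AXIOS_VERSIONS; do
      if [ "$v" = "$bad" ]; then
        echo "COMPROMISED axios@$v at $pj"
        findings=$((findings + 1))
      fi
    done
  done

  # Any installed package carrying one of the squatted names, at any depth.
  for name in $SQUATTED_PACKAGES; do
    for pj in $(find "$dir" -path "*/node_modules/$name/package.json" 2>/dev/null); do
      echo "SQUATTED $name at $pj"
      findings=$((findings + 1))
    done
  done

  [ "$findings" -eq 0 ]
}

# make_sample_tree -> builds a constructed node_modules tree in a temp dir
# and prints its path. Used only to demonstrate the scanner; the version
# "1.7.9" here is a made-up stand-in for a version not on the article's list.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/axios" \
           "$root/node_modules/some-dep/node_modules/axios" \
           "$root/node_modules/color-diff-napi"
  printf '{ "name": "axios", "version": "1.14.1" }\n' > "$root/node_modules/axios/package.json"
  printf '{ "name": "axios", "version": "1.7.9" }\n' > "$root/node_modules/some-dep/node_modules/axios/package.json"
  printf '{ "name": "color-diff-napi", "version": "0.0.1" }\n' > "$root/node_modules/color-diff-napi/package.json"
  echo "$root"
}

# Usage: sh scan.sh /path/to/project   (no argument: define functions only)
if [ -n "${1:-}" ]; then
  scan_node_modules "$1" && echo "no findings in $1"
fi
```

Run it against the project root (the directory that contains `node_modules`); a non-zero exit status means at least one indicator matched, which makes it easy to wire into a CI step. Because it walks the whole tree rather than reading only the top-level `package.json`, a trojanized Axios pulled in transitively by another dependency is still reported. It does not verify package integrity or detect a later malicious update to a squatted package that has been renamed, so treat a clean result as "none of these specific indicators present", not as proof the install is safe.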

Second major incident in a week

This is not Anthropic's first recent slip. Just days earlier, internal files — including a draft blog post referencing an upcoming model described as "the most capable we've built to date" — were left accessible on a publicly reachable content management system. Anthropic confirmed it has been testing that model with early access customers.